Spoofing Firefox protected objects

Wednesday, 14 November 2007

I’ve been hacking Firefox in my spare time and I thought that it had adequate protection against spoofing properties like document.domain. I was wrong. This could turn into a browser exploit in the future if the spoofed objects are accepted by Firefox internally (I don’t think they are, but you never know 😉).

There are two ways of spoofing document.domain: 1) you can define a getter that overrides the call to document.domain, and 2) you can overwrite the prototype.

The first technique allows you to spoof nearly everything apart from the location object. I think location has some extra security checks, and I’m currently investigating spoofing that as well.

The reason this is not an issue is because Firefox has 2 window objects, an internal window and an external window. The external window is modifiable and the internal window is not, so when you modify document.domain, rewriting prototypes and stuff at the external window, the internal window won’t be changed.
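As an added example (not from the original post or its comments), the two techniques above and the internal/external split can be modelled in plain JavaScript. Node has no real `document`, so a constructed stand-in is used: `pageDocument`, `FakeDocument` and `internal` are all assumptions that mirror the real shape (an accessor on the prototype, and a browser-side value that page script cannot reach). A naive check that reads `document.domain` is fooled by both spoofs; a check that captured the original accessor before any page script ran is not.

```javascript
// Constructed stand-in for the browser's internal, script-inaccessible state
// (the comment's "internal window"); real Firefox keeps this out of page reach.
const internal = { domain: 'example.com' };
// Constructed stand-in for the document prototype: `domain` is an accessor,
// as it is on the real DOM prototype chain.
function FakeDocument() {}
Object.defineProperty(FakeDocument.prototype, 'domain', {
  get() { return internal.domain; },
  configurable: true,
});
const pageDocument = new FakeDocument();

// Mitigation pattern: a script that runs first captures the original accessor
// before any later page script can replace it.
const originalDomainGetter =
  Object.getOwnPropertyDescriptor(FakeDocument.prototype, 'domain').get;

// Technique 1 from the post: an own getter on the document object shadows the
// prototype's accessor.
function spoofViaOwnGetter(doc, fake) {
  Object.defineProperty(doc, 'domain', { get: () => fake, configurable: true });
}

// Technique 2 from the post: replace the accessor on the prototype itself, so
// every object sharing that prototype reports the fake value.
function spoofViaPrototype(proto, fake) {
  Object.defineProperty(proto, 'domain', { get: () => fake, configurable: true });
}

// A naive check trusts whatever `document.domain` currently returns; the
// hardened check calls the accessor captured before any spoofing happened.
function naiveCheck(doc, trusted) { return doc.domain === trusted; }
function hardenedCheck(doc, trusted) {
  return originalDomainGetter.call(doc) === trusted;
}
// Walk through both techniques; results are returned rather than printed.
function demo() {
  const out = { naive: [], hardened: [] };
  const record = () => {
    out.naive.push(naiveCheck(pageDocument, 'bank.example'));
    out.hardened.push(hardenedCheck(pageDocument, 'bank.example'));
  };
  record();                                            // untouched: false, false
  spoofViaOwnGetter(pageDocument, 'bank.example');
  record();                                            // own getter: true, false
  delete pageDocument.domain;                          // drop the own getter again
  spoofViaPrototype(FakeDocument.prototype, 'bank.example');
  record();                                            // prototype: true, false
  out.internalDomain = internal.domain;                // browser-side value unchanged
  return out;
}
```

Capturing the accessor only helps when the defending script runs before any other page script; on a page the attacker already controls, nothing reachable from script is trustworthy, and the real boundary is the browser-side state the comment calls the internal window.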